Reefa Posted December 12, 2014 Share Posted December 12, 2014 Last August, we blogged about a series of Ransomware that included SynoLocker and CryptoWall. In our Cryptowall blogpost, we briefly mentioned the more advanced family of ransomware CTB-Locker, which uses elliptic curve cryptography for file encryption and Tor for communication with the command & control server.This week, another ransomware emerged using the same cryptography for encryption. It was first spotted by Trojan7Malware from a malvertising campaign that used RIG exploit kit. They dubbed the malware as OphionLocker.Upon infection, this malware uses a Tor2web URL for giving instructions on how to send the payment and obtain the decrpytor tool.This ransomware encrypts files with the following extensions:Here is the message that will be shown to the user after encryption:Multiple text files with the format ENCRYPTED[..].txt will be created, which contains the generated Hardware ID for the victim’s machine. Entering the hwid will display the ransom message that asks for 1 BTC.If, however, the infection happens on a virtual environment, OphionLocker has a slightly different trick. Though it still gives you a hwid, the message shown does not ask for a ransom payment.It gives the decryptor for free! Now, we know that sounds too good to be true, yet we still have to try it out. Just in case they’re nice to security researchers. Testing the decryptor will show the following message: Upon clicking “OK", it will immediately pop another message:But unfortunately, no files were decrypted. SHA1:eb78b7079fabecbec01a23c006227246e78126ab (ransomware) - Trojan:W32/Ransomware.DSource Link to comment Share on other sites More sharing options...
knowledge-Spammer Posted December 12, 2014 Share Posted December 12, 2014 not good Link to comment Share on other sites More sharing options...
nIGHT Posted December 15, 2014 Share Posted December 15, 2014 This is not good. :spank: Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.